41e1a278c26a7bca15af3d7e72bfc034d42a480922a759c10ab6bf289d47c119

General

Target

41e1a278c26a7bca15af3d7e72bfc034d42a480922a759c10ab6bf289d47c119.exe
Size

419KB
MD5

6934b89e09882c4657617b1b3022b270
SHA1

e47157f4445af0c5252235ffea29916518f45fd9
SHA256

41e1a278c26a7bca15af3d7e72bfc034d42a480922a759c10ab6bf289d47c119
SHA512

99410fcbcbe33cea77e61fb15ba0495ad2cb5cbffa1d018ad3abad6466a6a5894acef4ae8e20fe270452636ae2843f705d17d05ce771d71b292125e926a2a903
SSDEEP

3072:86jI9XJy7rAnj3WCW2EW52hRx1q315oF8opcnD1hOOrWGzN2lcR2u8JnxIJU+e34:fUZyTUF5oXpcFb5DRsNxIJUc

Score

8^/10

aspackv2 persistence

Malware Config

Signatures

ASPack v2.12-2.42 3 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0008000000005c51-55.dat	aspack_v212_v242
behavioral1/files/0x0008000000005c51-59.dat	aspack_v212_v242
behavioral1/files/0x0008000000005c51-58.dat	aspack_v212_v242

Executes dropped EXE 3 IoCs

pid	Process
2040	MSWDM.EXE
2020	MSWDM.EXE
1332	41E1A278C26A7BCA15AF3D7E72BFC034D42A480922A759C10AB6BF289D47C119.EXE

Loads dropped DLL 2 IoCs

pid	Process
2020	MSWDM.EXE
2020	MSWDM.EXE

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	41e1a278c26a7bca15af3d7e72bfc034d42a480922a759c10ab6bf289d47c119.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices	41e1a278c26a7bca15af3d7e72bfc034d42a480922a759c10ab6bf289d47c119.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	41e1a278c26a7bca15af3d7e72bfc034d42a480922a759c10ab6bf289d47c119.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	41e1a278c26a7bca15af3d7e72bfc034d42a480922a759c10ab6bf289d47c119.exe
File opened for modification	C:\Windows\dev2482.tmp	41e1a278c26a7bca15af3d7e72bfc034d42a480922a759c10ab6bf289d47c119.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2020	MSWDM.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1228 wrote to memory of 2040	1228	41e1a278c26a7bca15af3d7e72bfc034d42a480922a759c10ab6bf289d47c119.exe	27
PID 1228 wrote to memory of 2040	1228	41e1a278c26a7bca15af3d7e72bfc034d42a480922a759c10ab6bf289d47c119.exe	27
PID 1228 wrote to memory of 2040	1228	41e1a278c26a7bca15af3d7e72bfc034d42a480922a759c10ab6bf289d47c119.exe	27
PID 1228 wrote to memory of 2040	1228	41e1a278c26a7bca15af3d7e72bfc034d42a480922a759c10ab6bf289d47c119.exe	27
PID 1228 wrote to memory of 2020	1228	41e1a278c26a7bca15af3d7e72bfc034d42a480922a759c10ab6bf289d47c119.exe	28
PID 1228 wrote to memory of 2020	1228	41e1a278c26a7bca15af3d7e72bfc034d42a480922a759c10ab6bf289d47c119.exe	28
PID 1228 wrote to memory of 2020	1228	41e1a278c26a7bca15af3d7e72bfc034d42a480922a759c10ab6bf289d47c119.exe	28
PID 1228 wrote to memory of 2020	1228	41e1a278c26a7bca15af3d7e72bfc034d42a480922a759c10ab6bf289d47c119.exe	28
PID 2020 wrote to memory of 1332	2020	MSWDM.EXE	29
PID 2020 wrote to memory of 1332	2020	MSWDM.EXE	29
PID 2020 wrote to memory of 1332	2020	MSWDM.EXE	29
PID 2020 wrote to memory of 1332	2020	MSWDM.EXE	29

C:\Users\Admin\AppData\Local\Temp\41e1a278c26a7bca15af3d7e72bfc034d42a480922a759c10ab6bf289d47c119.exe
"C:\Users\Admin\AppData\Local\Temp\41e1a278c26a7bca15af3d7e72bfc034d42a480922a759c10ab6bf289d47c119.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1228
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2040
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev2482.tmp!C:\Users\Admin\AppData\Local\Temp\41e1a278c26a7bca15af3d7e72bfc034d42a480922a759c10ab6bf289d47c119.exe! !
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2020
- - C:\Users\Admin\AppData\Local\Temp\41E1A278C26A7BCA15AF3D7E72BFC034D42A480922A759C10AB6BF289D47C119.EXE
    3⤵
    - Executes dropped EXE
    PID:1332

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\41e1a278c26a7bca15af3d7e72bfc034d42a480922a759c10ab6bf289d47c119.exe

Filesize
380KB

MD5
6d778e0f95447e6546553eeea709d03c

SHA1
811a005cf787c6ccbe0d9f1c36c1d49a9cb71fd1

SHA256
62abed7d45040381bbced97ea7b6c697b418448fd3322fd4bfb2bbfdb6155eb4

SHA512
a9401d8b077a48c0b6dd3443e62703d53513208f49d7b44d14f722f4c5400ffaca59582ca066d92d68a72aa96278bed1b2c5d8f1b85d5ef964d06e979a9ac09f

Download Submit
C:\WINDOWS\MSWDM.EXE

Filesize
39KB

MD5
25db4a223754f80551e65c2c7701d4f0

SHA1
20faf8297ed428abbbf0f48ff3e83da04f89f303

SHA256
5e39fbcab905796a1ad394fd4f549cbc93e39e5ac140c9e2eb712665df756de8

SHA512
1e0c19cded6c3d44664f219659ee0118090747ce8be0b2e22d75e270b18ac145933b4858b5ca5ab83a8feed5404a0039517ba50802484502b8527bafbd18d07f

Download Submit
C:\Windows\MSWDM.EXE

Filesize
39KB

MD5
25db4a223754f80551e65c2c7701d4f0

SHA1
20faf8297ed428abbbf0f48ff3e83da04f89f303

SHA256
5e39fbcab905796a1ad394fd4f549cbc93e39e5ac140c9e2eb712665df756de8

SHA512
1e0c19cded6c3d44664f219659ee0118090747ce8be0b2e22d75e270b18ac145933b4858b5ca5ab83a8feed5404a0039517ba50802484502b8527bafbd18d07f

Download Submit
C:\Windows\MSWDM.EXE

Filesize
39KB

MD5
25db4a223754f80551e65c2c7701d4f0

SHA1
20faf8297ed428abbbf0f48ff3e83da04f89f303

SHA256
5e39fbcab905796a1ad394fd4f549cbc93e39e5ac140c9e2eb712665df756de8

SHA512
1e0c19cded6c3d44664f219659ee0118090747ce8be0b2e22d75e270b18ac145933b4858b5ca5ab83a8feed5404a0039517ba50802484502b8527bafbd18d07f

Download Submit
C:\Windows\dev2482.tmp

Filesize
380KB

MD5
6d778e0f95447e6546553eeea709d03c

SHA1
811a005cf787c6ccbe0d9f1c36c1d49a9cb71fd1

SHA256
62abed7d45040381bbced97ea7b6c697b418448fd3322fd4bfb2bbfdb6155eb4

SHA512
a9401d8b077a48c0b6dd3443e62703d53513208f49d7b44d14f722f4c5400ffaca59582ca066d92d68a72aa96278bed1b2c5d8f1b85d5ef964d06e979a9ac09f

Download Submit
\Users\Admin\AppData\Local\Temp\41e1a278c26a7bca15af3d7e72bfc034d42a480922a759c10ab6bf289d47c119.exe

Filesize
380KB

MD5
6d778e0f95447e6546553eeea709d03c

SHA1
811a005cf787c6ccbe0d9f1c36c1d49a9cb71fd1

SHA256
62abed7d45040381bbced97ea7b6c697b418448fd3322fd4bfb2bbfdb6155eb4

SHA512
a9401d8b077a48c0b6dd3443e62703d53513208f49d7b44d14f722f4c5400ffaca59582ca066d92d68a72aa96278bed1b2c5d8f1b85d5ef964d06e979a9ac09f

Download Submit
\Users\Admin\AppData\Local\Temp\41e1a278c26a7bca15af3d7e72bfc034d42a480922a759c10ab6bf289d47c119.exe

Filesize
380KB

MD5
6d778e0f95447e6546553eeea709d03c

SHA1
811a005cf787c6ccbe0d9f1c36c1d49a9cb71fd1

SHA256
62abed7d45040381bbced97ea7b6c697b418448fd3322fd4bfb2bbfdb6155eb4

SHA512
a9401d8b077a48c0b6dd3443e62703d53513208f49d7b44d14f722f4c5400ffaca59582ca066d92d68a72aa96278bed1b2c5d8f1b85d5ef964d06e979a9ac09f

Download Submit
memory/1228-57-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2020-65-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2040-66-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2040-67-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing